avaddon | 33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Size

775KB
MD5

66ef4802ece3a0d62cab8be7d6065c8d
SHA1

bf9bf0b3242ffb55726d8886480b23fc60b756c2
SHA256

33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e
SHA512

84f3122608910846ea3b9c23170a2dd371b7f14e63362f5082a8d1dde154911b68e75c05f947e594333d7bdad455e67e4b43cd79afbd4d8f6d6361a53ef6427c
SSDEEP

24576:+Csl9+OXLpMePfI8TgmBTCDqEbOpPtpFa8xfq:Y+OXLpMePfzVTCD7gPtLaUfq

Score

10^/10

avaddon evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\l0GqT_readme_.txt

Family

avaddon

Ransom Note

-------=== Your network has been infected! ===------- ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED ***************** All your documents, photos, databases and other important files have been encrypted and have the extension: .BcBcCDeDEC You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files! The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info. You can get more information on our page, which is located in a Tor hidden network. How to get to our page -------------------------------------------------------------------------------- | | 1. Download Tor browser - https://www.torproject.org/ | | 2. Install Tor browser | | 3. Open link in Tor browser - avaddonbotrxmuyl.onion | | 4. Follow the instructions on this page | -------------------------------------------------------------------------------- Your ID: -------------------------------------------------------------------------------- MTcyOC0yN3RycE5hUFMyU25LNllyZkQwWDdrdXhYaThoR24wNlhDcjJTV0xqZ25yS3UwdmdtamV4VlR2UmUvRnlPejZwVlZiZDBUNDVYNE4xaHRZOFRDVWRmSkxML0M2OGE2T1JnSHc4WUtoZWZGREVqRllURXZGYTNXOWorMUdWZElHeU50LzRsbFRoSTQ2MjZ3RGJaaFhtbytzNnhxU1dLbnhaM0F4TXhKTnhQVXVRUkZmMlBFMTYvdzVtK01Ca1BxL05lV0hMUE5BZkxrTTJEbE5uNjBxcUhGeHZlVVJxdHRuRWJtSHM0RitHcTdsTTF6TGtOSmFhYmpUV1VRaXhIaVpUU015MVNFNkxsbGNwU0pSRm1kWENoZE93U1ZxTVY1MzRGVlFZNGNWdDM3YzF1b2Z6NVNNeWExL2EwK1dTb3RoRTdtb2JmVFZ5OVE5RjMyOXBWdTI5RDF5Ykc4bFlBQ0NaQWJSOUd5azVON0dEUG9SSjUwSXdxcENHQlUwMFVDWnMxbkZkSUkwQ04vMWlEbyswaTVsOEhvRTFaVG1tKzVGNVdKdGtIRXFQQ3FLbnI3OUx0Y1hPWlZObk95MzFHVVF1SjVmUXdGbDdEa2dCY043VzZvY254TzV6aWh2NEt0Sm41UjUvcEU5OUhvQzRuaDBSRjVwY1c0QlAvd0ZpS1gzSmVrMWcxaDRsaTJlSzFieC9EMjVrMFIrYnc3VTZ0M1VtM1pYV3ZaTjVNSmYvRGh5WDNMNW5ZRjFZYnJudTZoanVvd3IxaWlhT2hSZDBwcjcvTk5vY0tBVVNML0V6cVpkZm1NOEJrMjRSSVlydTAyTkU3WlBObEl5bjUxR2hpblB5SHdTUFo4K1YxMkQ2aWwxSmJMR25oeTFTUzhIQnlYbUYxenJFRzdsa1RlU2p3SnN5SUxTSFlGemZGQnh5Vnd4WmNWTkVTa0RyQjRIckd2TmJyZmE4NDl5alI5dnZrdVlWeUN1TnI4ZytDWUFDMkV4VkZSRER2M3lMV3VCTEJxajlwbE1jTWs1ZXdXa3p6RTl3SGpvK1AwdGs1T2J2TXJWb21RdHNGbmUrd0tndU00Y1hyNkRpRy95ZUk5aXllMTZ3dUo3R3UrWGo1TWh1OFVIZ3d4Ym04ZFZXSjh0aTBYL2Zsbm1XUUVxOUF5Y2ZxQnl2OGZlQjhHOG92YThLZ2hnNzdBR2d2Wk9MSzBxbW1QdDhCdklyZ2oyb3cxNWdEYUpwTVpxVHlKNXhqSVY4eHdMY3pXdmdBQ3RqSWpwVmJLeEp2M2Z2YXZQcXNVZ3I4eHRZQjBtN0ErMWRoODNJWEt3eFBYeThlUjN5bnYzUjErM21lbktZaXpCRU43NGFQMFpYR3VYcW1ydTE0clp5TnhRNi9jbm4yZzBUQ3dmMTF4T0MyY0QzNkJXZ25vc0VabDk3TUJPaDJzMnk5aWM4eXBsaFJrN0lSOVVQT0NMaVNFSWlyRGVhVWJVY3pJdkpQT3JHSVFDclY4T0t6cTdsUEc3QmF0d0RjRk9ycXFyd1Fua0Fya0ZrMXBtR0prVDNZOWRGL2poV09zdmFwUk4rdktVVE9FZ215emFsc3N0enJnNUYrWFZwdnVKTjQ1cGhCZTdBUVp1ZHpCak93Z0EzdlFZcXNKNnB6SGRHVktVVXBxME0zdU5DN1Vaek1EK0Z3NjlSSzJFa3BxQ3M1bENJZ0dYMzh5bFBwUjFYd3JQYmNTMHd3aVBhS3FsdU5rTGVPYnhkancwTXE1R25XUXdPL2x3VVVYelV5S1ZuMmhMcU16dXNHTzBTaVM2NE96Uy8vbllhNVN2YnpTL09jRnFVNnlpb2MvOEZTU2JGSVdkdkVRNDVaRlRiOG9BS3lvWEg3US9VK2Jvd3Z5K1BNSkg4cjJwWHNTUEpqS1QwQWt6c0h1THdXRVlSUEM3QW5wSHErRFM4NytMSndFYmFTbVVDWVFnaWdCRktvdW5BV2w1aEMwa3RvZ0dWeS9RYXNLQzhQSVpMWnNqRmk3akc3bU5iYmp5QVZFeG9pbGdLV0dZRVFsdFpLNHUrZzd6WjR2QXQ1anNLSnVnNEhnT3N0T0ZCTW96ejNQTUxLVVhwWWlMd0JCTEpBYnJDeUZoTktPUW03KzYwcEJ4Qzlsa3ZYSW1jWDRxc2VEVjlXdz09 -------------------------------------------------------------------------------- * DO NOT TRY TO RECOVER FILES YOURSELF! * DO NOT MODIFY ENCRYPTED FILES! * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * * 8csDonvSgbT

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Downloads\l0GqT_readme_.txt

Family

avaddon

Ransom Note

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon

Avaddon payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012250-593.dat	family_avaddon

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2632	wmic.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2632	wmic.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2632	wmic.exe	28

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (204) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1448	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\B:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\G:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\H:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\K:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\P:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\Z:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\E:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\I:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\M:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\Q:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\R:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\T:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\Y:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\F:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\L:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\U:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\J:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\N:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\O:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\S:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\V:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\W:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
File opened (read-only)	\??\X:	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1020	vssadmin.exe
1456	vssadmin.exe
1992	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2376	wmic.exe
Token: SeSecurityPrivilege	2376	wmic.exe
Token: SeTakeOwnershipPrivilege	2376	wmic.exe
Token: SeLoadDriverPrivilege	2376	wmic.exe
Token: SeSystemProfilePrivilege	2376	wmic.exe
Token: SeSystemtimePrivilege	2376	wmic.exe
Token: SeProfSingleProcessPrivilege	2376	wmic.exe
Token: SeIncBasePriorityPrivilege	2376	wmic.exe
Token: SeCreatePagefilePrivilege	2376	wmic.exe
Token: SeBackupPrivilege	2376	wmic.exe
Token: SeRestorePrivilege	2376	wmic.exe
Token: SeShutdownPrivilege	2376	wmic.exe
Token: SeDebugPrivilege	2376	wmic.exe
Token: SeSystemEnvironmentPrivilege	2376	wmic.exe
Token: SeRemoteShutdownPrivilege	2376	wmic.exe
Token: SeUndockPrivilege	2376	wmic.exe
Token: SeManageVolumePrivilege	2376	wmic.exe
Token: 33	2376	wmic.exe
Token: 34	2376	wmic.exe
Token: 35	2376	wmic.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe
Token: SeIncreaseQuotaPrivilege	2556	wmic.exe
Token: SeSecurityPrivilege	2556	wmic.exe
Token: SeTakeOwnershipPrivilege	2556	wmic.exe
Token: SeLoadDriverPrivilege	2556	wmic.exe
Token: SeSystemProfilePrivilege	2556	wmic.exe
Token: SeSystemtimePrivilege	2556	wmic.exe
Token: SeProfSingleProcessPrivilege	2556	wmic.exe
Token: SeIncBasePriorityPrivilege	2556	wmic.exe
Token: SeCreatePagefilePrivilege	2556	wmic.exe
Token: SeBackupPrivilege	2556	wmic.exe
Token: SeRestorePrivilege	2556	wmic.exe
Token: SeShutdownPrivilege	2556	wmic.exe
Token: SeDebugPrivilege	2556	wmic.exe
Token: SeSystemEnvironmentPrivilege	2556	wmic.exe
Token: SeRemoteShutdownPrivilege	2556	wmic.exe
Token: SeUndockPrivilege	2556	wmic.exe
Token: SeManageVolumePrivilege	2556	wmic.exe
Token: 33	2556	wmic.exe
Token: 34	2556	wmic.exe
Token: 35	2556	wmic.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2364	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	35
PID 1876 wrote to memory of 2364	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	35
PID 1876 wrote to memory of 2364	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	35
PID 1876 wrote to memory of 2364	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	35
PID 1876 wrote to memory of 1020	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	40
PID 1876 wrote to memory of 1020	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	40
PID 1876 wrote to memory of 1020	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	40
PID 1876 wrote to memory of 1020	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	40
PID 1876 wrote to memory of 1408	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	42
PID 1876 wrote to memory of 1408	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	42
PID 1876 wrote to memory of 1408	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	42
PID 1876 wrote to memory of 1408	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	42
PID 1876 wrote to memory of 1456	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	44
PID 1876 wrote to memory of 1456	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	44
PID 1876 wrote to memory of 1456	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	44
PID 1876 wrote to memory of 1456	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	44
PID 1876 wrote to memory of 2796	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	46
PID 1876 wrote to memory of 2796	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	46
PID 1876 wrote to memory of 2796	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	46
PID 1876 wrote to memory of 2796	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	46
PID 1876 wrote to memory of 1992	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	48
PID 1876 wrote to memory of 1992	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	48
PID 1876 wrote to memory of 1992	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	48
PID 1876 wrote to memory of 1992	1876	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe	48
PID 1456 wrote to memory of 1448	1456	taskeng.exe	54
PID 1456 wrote to memory of 1448	1456	taskeng.exe	54
PID 1456 wrote to memory of 1448	1456	taskeng.exe	54
PID 1456 wrote to memory of 1448	1456	taskeng.exe	54

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
"C:\Users\Admin\AppData\Local\Temp\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1876
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2364
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1020
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1408
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1456
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2796
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1992

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1356

C:\Windows\system32\taskeng.exe
taskeng.exe {9EC3AC4E-BAB1-4FFB-BDE3-4F9A68D81BEB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe
  2⤵
  - Executes dropped EXE
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e.exe

Filesize
775KB

MD5
66ef4802ece3a0d62cab8be7d6065c8d

SHA1
bf9bf0b3242ffb55726d8886480b23fc60b756c2

SHA256
33d390c351632b45a20a8a9939ef5794fcc2bb52b02201aa54de31b7f7bc396e

SHA512
84f3122608910846ea3b9c23170a2dd371b7f14e63362f5082a8d1dde154911b68e75c05f947e594333d7bdad455e67e4b43cd79afbd4d8f6d6361a53ef6427c

Download Submit
C:\Users\Admin\Desktop\l0GqT_readme_.txt

Filesize
3KB

MD5
2250d14138abc188771890a81cf536cd

SHA1
295d29fa7489b4a3f536339fefd73eafc91d2fe2

SHA256
69a1acc4211c5a74cede07a6a89169bd3bd1617fee5fadebd643ab98e1ab2db1

SHA512
8140e4beafe7c0149b080c4cdf7354329c02d52991852dbd3a182b041b0225dcc29619eac68d0eba2bf977b1e4c2ee99fa44dbf953e40a8a2244201c37559f31

Download Submit
C:\Users\Admin\Downloads\l0GqT_readme_.txt

Filesize
3KB

MD5
4715ea2453c07e61851a5d2038b41584

SHA1
6451b6166634b4a7e4bc2b5cebb4d760081674fd

SHA256
597ead2e955df992731d8a3763bde793c5b7f5dd9acd473458c93ef53ac8bb50

SHA512
e849e16da9b72f9061b9604e322fe506c1000bfdbe679e9f3d5fa67558659d835c6d6d8d8f766a1283530c6cc7b444a9cb57a58e06029e8fa23761a34d7d4fa3

Download Submit